Avaya Configuring RADIUS Services User manual

Part No. 116752 Rev. A
May 1997
Router Software Version 11.02
Site Manager Software Version 5.02
Configuring RADIUS
4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821
Copyright © 1988–1997 Bay Networks, Inc.
All rights reserved. Printed in the USA. May 1997.
The information in this document is subject to change without notice. The statements, configurations, technical data,
and recommendations in this document are believed to be accurate and reliable, but are presented without express or
implied warranty. Users must take full responsibility for their applications of any products specified in this document.
The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance
with the terms of that license. A summary of the Software License is included in this document.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notice for All Other Executive Agencies
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in
the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Trademarks of Bay Networks, Inc.
ACE, AFN, AN, BCN, BLN, BN, BNX, CN, FN, FRE, GAME, LN, Optivity, PPX, Bay Networks, SynOptics,
SynOptics Communications, Wellfleet and the Wellfleet logo are registered trademarks and ANH, ARN, ASN,
BaySIS, BayStack, BayStream, BCNX, BLNX, EZ Install, EZ Internetwork, EZ LAN, PathMan, PhonePlus,
Quick2Config, RouterMan, SPEX, Bay Networks Press, the Bay Networks logo and the SynOptics logo are
trademarks of Bay Networks, Inc.
Third-Party Trademarks
All other trademarks and registered trademarks are the property of their respective owners.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the
right to make changes to the products described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product are Copyright © 1988, Regents of the University of California. All rights
reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials,
and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that
contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed
by third parties).
Bay Networks Software License
This Software License shall govern the licensing of all software provided to licensee by Bay Networks (“Software”).
Bay Networks will provide licensee with Software in machine-readable form and related documentation
(“Documentation”). The Software provided under this license is proprietary to Bay Networks and to third parties from
whom Bay Networks has acquired license rights. Bay Networks will not grant any Software license whatsoever, either
explicitly or implicitly, except by acceptance of an order for either Software or for a Bay Networks product
(“Equipment”) that is packaged with Software. Each such license is subject to the following restrictions:
1. Upon delivery of the Software, Bay Networks grants to licensee a personal, nontransferable, nonexclusive license
to use the Software with the Equipment with which or for which it was originally acquired, including use at any
of licensee’s facilities to which the Equipment may be transferred, for the useful life of the Equipment unless
earlier terminated by default or cancellation. Use of the Software shall be limited to such Equipment and to such
facility. Software which is licensed for use on hardware not offered by Bay Networks is not subject to restricted
use on any Equipment, however, unless otherwise specified on the Documentation, each licensed copy of such
Software may only be installed on one hardware item at any time.
2. Licensee may use the Software with backup Equipment only if the Equipment with which or for which it was
acquired is inoperative.
3. Licensee may make a single copy of the Software (but not firmware) for safekeeping (archives) or backup
purposes.
4. Licensee may modify Software (but not firmware), or combine it with other software, subject to the provision
that those portions of the resulting software which incorporate Software are subject to the restrictions of this
license. Licensee shall not make the resulting software available for use by any third party.
5. Neither title nor ownership to Software passes to licensee.
6. Licensee shall not provide, or otherwise make available, any Software, in whole or in part, in any form, to any
third party. Third parties do not include consultants, subcontractors, or agents of licensee who have licensee’s
permission to use the Software at licensee’s facility, and who have agreed in writing to use the Software only in
accordance with the restrictions of this license.
7. Third-party owners from whom Bay Networks has acquired license rights to software that is incorporated into
Bay Networks products shall have the right to enforce the provisions of this license against licensee.
8. Licensee shall not remove or obscure any copyright, patent, trademark, trade secret, or similar intellectual
property or restricted rights notice within or affixed to any Software and shall reproduce and affix such notice on
any backup copy of Software or copies of software resulting from modification or combination performed by
licensee as permitted by this license.
Note:
This is Bay Networks basic license document. In the absence of a
software license agreement specifying varying terms, this license -- or the
license included with the particular product -- shall govern licensee’s use of
Bay Networks software.
9. Licensee shall not reverse assemble, reverse compile, or in any way reverse engineer the Software. [Note: For
licensees in the European Community, the Software Directive dated 14 May 1991 (as may be amended from time
to time) shall apply for interoperability purposes. Licensee must notify Bay Networks in writing of any such
intended examination of the Software and Bay Networks may provide review and assistance.]
10. Notwithstanding any foregoing terms to the contrary, if licensee licenses the Bay Networks product “Site
Manager,” licensee may duplicate and install the Site Manager product as specified in the Documentation. This
right is granted solely as necessary for use of Site Manager on hardware installed with licensee’s network.
11. This license will automatically terminate upon improper handling of Software, such as by disclosure, or Bay
Networks may terminate this license by written notice to licensee if licensee fails to comply with any of the
material provisions of this license and fails to cure such failure within thirty (30) days after the receipt of written
notice from Bay Networks. Upon termination of this license, licensee shall discontinue all use of the Software
and return the Software and Documentation, including all copies, to Bay Networks.
12. Licensee’s obligations under this license shall survive expiration or termination of this license.
Contents
About This Guide
  Before You Begin
  Conventions
  Acronyms
  Ordering Bay Networks Publications
  Bay Networks Customer Service
  How to Get Help
  For More Information
Chapter 1
Starting RADIUS
  How to Use This Manual
  Before You Begin
  Enabling RADIUS
  Specifying the Client’s IP Address
  Specifying the Primary Server’s IP Address
  Selecting a Protocol for RADIUS Authentication
Chapter 2
RADIUS Overview
  How RADIUS Works
  Bay Networks RADIUS Implementation
  RADIUS Authentication
  Using PPP for Dial-up Connections
  Using IP and IPX Unnumbered Protocols for PPP Connections
  Configuring the Remote User to Work with the RADIUS Client
  RADIUS Accounting
  Using PPP for Dial-up Connections
  Configuring a Dial Service for RADIUS Accounting
  Using RADIUS-Compatible Servers with the RADIUS Client
  Accepting Remote Users’ IP Addresses
  For More Information
Chapter 3
Customizing the RADIUS Client Configuration
  Modifying the Client’s IP Address
  Modifying Service from Authentication to Accounting
  Modifying the Protocol for RADIUS Authentication
  Modifying the PPP Authentication Protocol
  Removing RADIUS Authentication and Accounting
Chapter 4
Customizing the RADIUS Server Configuration
  Modifying the Primary Server’s Password
  Modifying the Server Mode
  Authentication and Accounting UDP Ports
  Modifying the Server Response Time
  Modifying the Number of Client Requests to the Server
  Configuring Alternate Servers
  Reconnecting to the Primary Server
  Changing the Primary and Alternate Servers
  Removing a Server Entry
Appendix A
RADIUS Parameters
  Client IP Address Parameter
  Server Configuration Parameters
  Protocol Parameters for RADIUS Authentication
Appendix B
RADIUS Parameter Defaults
Appendix C
Configuration Examples
  Configuring RADIUS Authentication
  Before You Begin
  Enable RADIUS Authentication
  Select IP
  Configuring RADIUS Accounting
  Before You Begin
  Create a Backup Pool
  Create a Dial Backup Circuit
  Enable RADIUS Accounting
  Configuring RADIUS Accounting and Authentication
  Before You Begin
  Enable Dial Backup Service
  Enable RADIUS Accounting and Authentication
  Select IP for RADIUS Authentication
Index
Figures
Figure 1-1. Configuration Manager Window
Figure 1-2. RADIUS Client Configuration Window
Figure 1-3. RADIUS Menu
Figure 1-4. Choose WAN Serial Interface Type Window
Figure 1-5. Sync Line Media Type Window
Figure 1-6. Async Line Media Type Window
Figure 1-7. ISDN Switch Configuration Window
Figure 1-8. ISDN Logical Lines Window
Figure 1-9. Primary Server Address Window
Figure 1-10. RADIUS Server Configuration Window
Figure 1-11. RADIUS Dial_In Slot Window
Figure 1-12. RADIUS Dial_In Protocol Window
Figure 1-13. Dial Optimized Routing Query Window
Figure 2-1. Sample Network Using RADIUS
Figure 3-1. RADIUS Client Configuration Window
Figure 3-2. RADIUS Dial_In Slot Window
Figure 3-3. RADIUS Dial_In Protocol Window
Figure 3-4. Dial Optimized Routing Query Window
Figure 3-5. PPP Interface List Window
Figure 3-6. PPP Line Lists Window
Figure 4-1. RADIUS Server Configuration Window
Figure 4-2. RADIUS Server Configuration Window
Figure 4-3. Alternate Server Address Window
Figure C-1. Sample Network Using RADIUS Authentication
Figure C-2. Sample Network Using RADIUS Accounting
Figure C-3. Sample Network Configured for Dialing an Alternate Site
Tables
Table B-1. RADIUS Parameter Defaults
About This Guide
If you are responsible for configuring Remote Authentication Dial-In User
Service (RADIUS) software, read this manual.
Before You Begin
Before using this manual, complete the following tasks. For a new router:
• Install the router (refer to the installation manual that came with your router).
• Connect the router to the network and create a pilot configuration file (refer to
  Quick-Starting Routers, Connecting AN and ANH Systems to a Network, or
  Connecting ASN Routers to a Network).
Make sure that your router is running the latest version of the Bay Networks Site
Manager and router software. For instructions, refer to Upgrading Routers from
Version 7–10.xx to Version 11.0.
If you want to | Go to
Start RADIUS on a router using the parameter defaults | Chapter 1
Learn about RADIUS and the Bay Networks® implementation of RADIUS | Chapter 2
Change parameter defaults for the RADIUS client configuration | Chapter 3
Change parameter defaults for the RADIUS server configuration | Chapter 4
Obtain information about RADIUS parameters (this is the same information you obtain using Site Manager online Help) | Appendix A
Quickly obtain the default value of a RADIUS parameter | Appendix B
See RADIUS configuration examples | Appendix C
Conventions
bold text
  Indicates text that you need to enter, command names, and buttons in menu paths.
  Example: Enter wfsm &
  Example: Use the dinfo command.
  Example: ATM DXI > Interfaces > PVCs identifies the PVCs button in the window
  that appears when you select the Interfaces option from the ATM DXI menu.
italic text
  Indicates variable values in command syntax descriptions, new terms, file and
  directory names, and book titles.
quotation marks (“ ”)
  Indicate the title of a chapter or section within a book.
screen text
  Indicates data that appears on the screen.
  Example: Set Bay Networks Trap Monitor Filters
separator ( > )
  Separates menu and option names in instructions and internal pin-to-pin wire
  connections.
  Example: Protocols > AppleTalk identifies the AppleTalk option in the Protocols menu.
  Example: Pin 7 > 19 > 20
vertical line ( | )
  Indicates that you enter only one of the parts of the command. The vertical line
  separates choices. Do not type the vertical line when entering the command.
  Example: If the command syntax is show at routes | nets, you enter either
  show at routes or show at nets, but not both.
Acronyms
CHAP Challenge Handshake Authentication Protocol
IP Internet Protocol
IPX Internet Packet Exchange
IPXWAN Internet Packet Exchange Wide Area Network
ISDN Integrated Services Digital Network
ISP Internet service provider
ITU-T International Telecommunication Union–Telecommunications (formerly CCITT)
LAN local area network
OSPF Open Shortest Path First (protocol)
PAP Password Authentication Protocol
POTS plain old telephone service
PPP Point-to-Point Protocol
RADIUS Remote Authentication Dial-In User Service
RIP Routing Information Protocol
SAP Service Advertising Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
UDP User Datagram Protocol
WAN wide area network
Ordering Bay Networks Publications
To purchase additional copies of this document or other Bay Networks
publications, order by part number from Bay Networks Press at the following
numbers:
Phone--U.S./Canada: 1-888-422-9773
Phone--International: 1-510-490-4752
FAX--U.S./Canada and International: 1-510-498-2609
Bay Networks Customer Service
You can purchase a support contract from your Bay Networks distributor or
authorized reseller, or directly from Bay Networks Services. For information
about, or to purchase a Bay Networks service contract, either call your local Bay
Networks field sales office or one of the following numbers:
Region | Telephone number | Fax number
United States and Canada | 1-800-2LANWAN; then enter Express Routing Code (ERC) 290, when prompted, to purchase or renew a service contract; 1-508-436-8880 (direct) | 1-508-670-8766
Europe | 33-4-92-96-69-66 | 33-4-92-96-69-96
Asia/Pacific | 61-2-9927-8888 | 61-2-9927-8899
Latin America | 561-988-7661 | 561-988-7550
How to Get Help
If you purchased a service contract for your Bay Networks product from a
distributor or authorized reseller, contact the technical support staff for that
distributor or reseller for assistance.
If you purchased a Bay Networks service program, call one of the following Bay
Networks Technical Solutions Centers:
Technical Solutions Center | Telephone number | Fax number
Billerica, MA | 1-800-2LANWAN | 508-670-8765
Santa Clara, CA | 1-800-2LANWAN | 408-495-1188
Valbonne, France | 33-4-92-96-69-68 | 33-4-92-96-69-98
Sydney, Australia | 61-2-9927-8800 | 61-2-9927-8811
Tokyo, Japan | 81-3-5402-0180 | 81-3-5402-0173
For More Information
For information about Bay Networks and its products, visit the Bay Networks
World Wide Web (WWW) site at http://www.baynetworks.com. To learn more
about Bay Networks Customer Service, select Customer Service on the opening
Web page.
Chapter 1
Starting RADIUS
Remote Authentication Dial-In User Service (RADIUS) defines a method of
centralizing authentication and accounting information for networks with many
remote dial-in users. By placing authentication and accounting functions in one
central location, you can improve security and better manage large networks.
In a network using RADIUS, the router is the RADIUS client. The client is the
connection point between remote users and a RADIUS server. The server has the
information that it needs to identify remote users and to keep accounting
information for each call.
How to Use This Manual
Understanding how this manual is organized should make it more useful to you.
The manual is organized as follows:
• Starting RADIUS
  Begin by reading this chapter, which explains how to enable RADIUS on your
  router using a basic configuration, that is, a configuration that uses all of the
  available parameter defaults.
• RADIUS overview
  Provides information about RADIUS authentication and accounting and the
  Bay Networks implementation of these services. This information is in
  Chapter 2.
• Instructions for modifying the default configuration introduced in Chapter 1
  These instructions are in Chapters 3 and 4. Most of the instructions assume
  that you have read Chapter 1 and explain how to modify the default
  configuration.
  The steps that instruct you to set a parameter value are followed by a box that
  includes the Site Manager parameter and the location of the parameter
  description in Appendix A. To read more about the parameter before setting a
  value, refer to the specified page. You can also read these parameter
  descriptions by clicking on Help in the Site Manager windows.
• Parameter descriptions, parameter default tables, and configuration examples
  This information is in Appendixes A through C.
Before You Begin
Before you enable RADIUS, do the following:
1. Create and save a configuration file that has at least one wide area network
   (WAN) interface.
2. Retrieve the configuration file in local, remote, or dynamic mode.
3. Specify the router hardware if this is a local-mode configuration.
4. Configure the physical interface for any ISDN lines that you will use for
   RADIUS.
   Refer to Configuring Dial Services to learn how to configure ISDN lines.
5. Configure one or more dial services so the RADIUS client can accept calls
   from the remote user (RADIUS accounting only).
   Configure dial-on-demand, dial backup, or bandwidth-on-demand service to
   operate with RADIUS accounting. Refer to Configuring Dial Services for
   instructions. Once you enable RADIUS authentication, the RADIUS client
   automatically configures a dial connection; therefore, you are not required to
   configure a dial service.
6. Enable dial optimized routing on the remote routers (RADIUS authentication
   only).
   Dial optimized routing prevents Routing Information Protocol (RIP) updates
   or Service Advertising Protocol (SAP) updates from keeping a line active
   unnecessarily, thereby reducing the line costs. Enabling this feature improves
   the operation of RADIUS authentication.